TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements

June 20, 2007

Reference Number: 2007-20-110

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

June 20, 2007

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:     (for) Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Progress Has Been Slow in Meeting Homeland Security Presidential Directive–12 Requirements (Audit # 200620027)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) took the necessary actions to comply with Homeland Security Presidential Directive-12 requirements.
This audit was part of the statutory audit coverage under the Information Systems Programs area and is included in the Treasury Inspector General for Tax Administration Fiscal Year 2006 Annual Audit Plan.

Impact on the Taxpayer

The IRS has been experiencing delays in issuing new identification cards to employees and contractors that enhance security, reduce identity fraud, and protect the personal privacy of employees and contractors. Initially, the IRS was developing its own system for issuing the cards rather than joining with other Federal Government agencies that had already incurred much of the upfront costs associated with this effort. Consequently, the IRS was at risk of wasting taxpayer funds and delaying the implementation of this Presidential mandate.

Synopsis

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12, Policy for a Common Identification Standard for Federal Employees and Contractors. The Directive, which is to be implemented in several phases, established a new standard for issuing and processing Federal Government identification cards for entering Federal Government facilities and for accessing computer systems. In the first phase, Personal Identity Verification (PIV) I, the Office of Management and Budget required agencies to develop procedures no later than October 2005 for registering employees, issuing cards, and maintaining the card system. In the second phase, PIV II, the Office of Management and Budget required agencies to demonstrate their ability to issue the identification cards and be capable of issuing new cards to all new employees and contractors no later than October 2006.

To satisfy the requirements of PIV I, the IRS completed its PIV I Procedures Manual on October 27, 2005.
This manual contains step-by-step instructions that address PIV I requirements.

However, the IRS has been experiencing delays in meeting the requirements of PIV II. Initially, the IRS was attempting to produce its own identification cards but had not demonstrated the ability to issue them. Despite assigning 68 employees and contractors to this effort, the IRS had not yet purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, 2 years after the Office of Management and Budget mandated deadline.

The IRS stated, however, that it met the PIV II milestone because it contracted with the General Services Administration (GSA) for 100 identification cards to meet the Office of Management and Budget deadline, even though it did not plan to use the GSA to issue additional identification cards after the PIV II milestone. The GSA is making its solution available to all Federal Government agencies and, due to economies of scale, we believe the GSA should be able to issue the cards less expensively than agencies that produce their own cards.

The IRS was continuing to develop its own system for issuing identification cards because it believed it could issue cards that would meet all required technical specifications at less expense. However, the IRS had not provided cost projections for this Department of the Treasury initiative.
The IRS also stated it believed it was in a better position than the GSA to produce and distribute identification cards at all Department of the Treasury office locations, provide compatible technology to identify and authenticate employees, and produce and distribute identification cards for the large number of temporary employees the IRS hires during the tax return filing season.

We believe the IRS was taking unnecessary risks, not only because its costs are likely to exceed the GSA solution, but because it was taking resources away from tax administration duties, increasing the likelihood of its cards being incompatible with other agencies, and likely will be delivering its system later than other agencies. During the course of this audit, we made the following recommendation to the IRS to consider the benefits of using a shared solution.

Recommendation

To reduce costs and to improve the likelihood of meeting the Office of Management and Budget’s subsequent milestones for developing identification cards compliant with Homeland Security Presidential Directive-12 requirements, we recommended during the course of the audit that the Chief, Mission Assurance and Security Services, consider the benefits of using shared solutions such as the one offered by the GSA for issuing identification cards to IRS employees and contractors.
Rather than spending resources on developing its own system, we recommended the IRS coordinate with the GSA to resolve concerns and customize the GSA solution to meet IRS needs.

Response

IRS management stated the Department of the Treasury Homeland Security Presidential Directive-12 Program Management Office, with concurrence from the Department of the Treasury Homeland Security Presidential Directive-12 Executive Steering Committee and the Bureau Advisory Board, agreed with our recommendation. The Program Management Office has discontinued development efforts for a Department of the Treasury-wide enterprise Homeland Security Presidential Directive-12 solution. On May 18, 2007, a letter was issued to the GSA stating the IRS’ intention to use the GSA services to the extent possible. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs) at (202) 622-8510.

Table of Contents

Background

Results of Review
    The Internal Revenue Service Met the First Homeland Security Presidential Directive-12 Milestone
    All Necessary Actions Were Not Taken to Fully Comply With Homeland Security Presidential Directive-12
        Recommendation 1

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

GSA       General Services Administration
HSPD–12   Homeland Security Presidential Directive–12
IRS       Internal Revenue Service
PIV       Personal Identity Verification

Background

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. The Directive established a new standard for issuing and processing Federal Government identification cards for entering Federal Government facilities and for accessing computer systems. The Directive was designed to enhance security, reduce identity fraud, and protect the personal privacy of employees and contractors issued Federal Government identification. The National Institute for Standards and Technology [1] developed Federal Information Processing Standards Publication Personal Identity Verification (PIV) of Federal Employees and Contractors (Publication 201), which contains the minimum standards, recommendations, guidelines, and conformance tests for components for the Federal PIV project. Essentially, the PIV project was initiated to standardize identification cards, perform background checks of employees and contractors, and issue identification cards for accessing computer systems.

Three other Federal Government agencies have specific responsibilities for implementing HSPD-12 Governmentwide. The General Services Administration (GSA) [2] is responsible for assisting agencies in procuring and operating PIV subsystems such as employee identification cards and biometric [3] card readers. The Office of Management and Budget [4] is responsible for overseeing implementation of the Directive and is developing implementation guidance for Federal agencies.
Additionally, the Office of Personnel Management [5] is responsible for assisting agencies in authenticating and vetting applicants before they are provided identification cards.

Implementation of HSPD-12 will first be achieved in two phases. In the first phase, PIV I, agencies must develop procedures for registering employees, issuing identification cards, and maintaining the identification card system. In the second phase, PIV II, agencies must demonstrate their ability to issue the identification cards and be capable of issuing new cards to all new employees and contractors.

[1] Founded in 1901, the National Institute for Standards and Technology is a non-regulatory Federal agency within the United States Commerce Department’s Technology Administration. Its mission is to promote national innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
[2] The GSA is an independent Federal agency that manages Federal property, records, and construction.
[3] Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are face, fingerprints, hand geometry, handwriting, iris, retina, vein, and voice.
[4] The Office of Management and Budget is the organization within the Executive Office of the President that prepares and administers the Federal budget and improves management in the Executive Branch.
[5] The Office of Personnel Management manages the Federal Government’s human resources and its key responsibilities include supporting agencies in recruiting, hiring, and retaining employees.

The Office of Management and Budget established deadline dates [6] for all Federal agencies to become compliant, in stages, with HSPD-12:

    • October 27, 2005 – Agencies must have been PIV I compliant.
    • October 27, 2006 – Agencies must have been PIV II compliant for Governmentwide uniformity and interoperability.
    • October 27, 2007 – Agencies must verify and/or complete background investigations and issue identification cards for all employees with less than 15 years of service.
    • October 27, 2008 – Agencies must verify and/or complete background investigations and issue identification cards for all employees with more than 15 years of service.

The first phase of HSPD-12 required procedural guidelines to be in place; the second phase required identification card issuance.

In addition to issuing identification cards, the Internal Revenue Service (IRS) will have to integrate any new systems necessary to operate with the new identification cards into existing security, personnel, and other systems. Agencies must consider numerous factors when integrating multiple systems, including physical and logical access issues, privacy matters, and software and hardware compatibility. For example, many card readers currently used for physical access are using technology that is up to 20 years old and may not be compatible with the technology necessary to use the new HSPD-12 cards.
The Treasury Inspector General for Tax Administration will continue to monitor these milestones as the IRS starts implementing the program in more detail.

On March 24, 2006, the IRS assumed leadership of the Department of the Treasury HSPD-12 Program Management Office. In this role, the IRS is providing leadership to all 13 Department of the Treasury bureaus in developing an integrated Department of the Treasury approach for meeting HSPD-12 requirements.

This review was performed at the IRS National Headquarters in New Carrollton, Maryland, in the office of the Chief, Mission Assurance and Security Services, during the period June through December 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[6] Office of Management and Budget Memorandum M-05-24, dated August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD)-12.

Results of Review

The Internal Revenue Service Met the First Homeland Security Presidential Directive-12 Milestone

The first HSPD-12 milestone required agencies to comply with the PIV I requirements by October 27, 2005.
Specifically, agencies were required to develop procedures for installing and maintaining identification cards that:

    • Are issued based on sound criteria for verifying an individual’s identity.
    • Are strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
    • Can be rapidly authenticated electronically.
    • Are issued by providers whose reliability has been established by an official accreditation process.

To satisfy the requirements of PIV I, the IRS completed its PIV I Procedures Manual on October 27, 2005. This manual contains step-by-step instructions organized into three main process streams: identity proofing and registration, PIV identification card issuance, and PIV identification card maintenance. This structure follows the organization of Publication 201 PIV I requirements.

In addition, on October 24, 2005, the IRS appointed a Designated Accreditation Authority who granted approval for its PIV identification card plan. The Designated Accreditation Authority determined the Operations Plan and Procedures complied with Publication 201 PIV I requirements and the privacy and security policies were acceptable. We agree with that assessment.

All Necessary Actions Were Not Taken to Fully Comply With Homeland Security Presidential Directive-12

To comply with PIV II, the Office of Management and Budget directed agencies to demonstrate by October 27, 2006, their ability to issue the new identification cards. In addition, by that date agencies were required to issue and require the use of identification cards for all new employees and contractors. Currently, the IRS can do neither.

The IRS claims, however, that it met the milestone for PIV II because it contracted with the GSA for 100 identification cards to meet the Office of Management and Budget deadline.
The GSA had contracted with a vendor to develop an HSPD-12 solution all agencies could use that included registering employees, ensuring their identities, and producing and issuing identification cards.

The GSA produced the identification cards timely. While the cards contained errors such as the wrong address and misspellings, they otherwise met Publication 201 guidelines.

The IRS stated it met the PIV II milestone, even though it did not plan to use the GSA solution or any other solutions already available to Federal agencies. Instead, the IRS was attempting to produce its own identification cards but had not yet demonstrated its ability to do so. At least 68 employees and contractors were assigned to the IRS HSPD-12 Program Management Office, but it still had not purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, 2 years after the Office of Management and Budget mandated deadline.

The IRS is not yet capable of issuing new identification cards as required by HSPD-12.

The IRS believed it could develop its own system to issue cards that meet all required technical specifications at less cost than the GSA and it was in a better position to:

    • Provide and distribute identification cards at all Department of the Treasury locations. The GSA plans to have over 225 enrollee stations (25 mobile) throughout the country that will service up to 80 percent of the Federal workforce, while the Department of the Treasury plans to have 80 enrollment stations.
      The IRS was concerned about the costs involved with employees having to travel to the GSA locations and the time it would take to issue the identification cards at these locations.
    • Provide compatible technology to identify and authenticate employees. The previous GSA solution relied on technology that may not have been compatible with existing Department of the Treasury software that authenticates computer users’ identities.
    • Provide and timely distribute identification cards for the large number of temporary employees the IRS hires for the annual tax return filing season. [7] The IRS stated its hiring practices for temporary and other employees require identification cards to be issued almost immediately after employees are hired, something they doubted the GSA solution could accomplish.

[7] The period from January through mid-April when most individual income tax returns are filed.

In addition to the error-prone cards it produced for the IRS, the GSA solution has also experienced problems. Most significantly, the contract with its vendor was suspended and production was consequently stopped. We believe the barriers mentioned by the IRS could be overcome through coordination with the GSA. In addition, we believe the GSA solution, when available, offers several advantages over the IRS approach. Specifically:

    • The GSA previously estimated the cost for a GSA-developed identification card to be approximately $110 plus annual maintenance costs of $52.
      As of April 10, 2007, the IRS has not provided cost projections for this Department of the Treasury initiative but we believe the cost could be substantially greater than GSA’s estimate. The GSA solution should be less expensive due to economies of scale. By producing cards for multiple agencies, the fixed costs for producing the cards can be allocated over a much greater number of cards, thus reducing the cost per card. The Department of Agriculture, Department of Commerce, and Department of Energy have already agreed to implement the GSA solution once it resumes operation.
    • The IRS solution will require staffing resources to be devoted to developing, piloting, and implementing its system, taking resources away from tax administration duties, while the GSA solution will lessen the staffing resources needed to implement and develop the program.
    • The GSA solution increases the likelihood that agencies have a consistent solution. All agencies will have to modify the cards to interface with their computer systems, but the GSA solution will help ensure consistency.
    • The GSA solution is more likely to be implemented faster. Even with the GSA’s contracting delays, it still expects to award a contract by March 28, 2007, and begin issuing cards by June 2007, while, as we mentioned earlier, the IRS does not expect to complete deployment until September 2010, nearly 2 years after the Office of Management and Budget milestone.
    • Once implemented, the GSA solution will offer a proven system, while the IRS may still be in the development stages. As a result, the IRS is taking an additional risk of delaying implementation.

In summary, the IRS was at risk of wasting taxpayer funds and delaying the implementation of this Presidential mandate.
During the course of this audit, we made the following recommendation to consider the benefits of using a shared solution.

Recommendation

Recommendation 1: To reduce costs and improve the likelihood of meeting the Office of Management and Budget’s subsequent milestones for developing identification cards compliant with HSPD-12 requirements, we recommended during the course of this audit that the Chief, Mission Assurance and Security Services, consider the benefits of using shared solutions such as the one offered by the GSA for issuing identification cards to IRS employees and contractors. Rather than spending resources on developing its own system, we recommended the IRS coordinate with the GSA to resolve concerns and customize the GSA solution to meet IRS needs.

Management’s Response: The Treasury HSPD-12 Program Management Office, with concurrence from the Department of the Treasury HSPD-12 Executive Steering Committee and the Bureau Advisory Board, agreed with the recommendation. The Program Management Office has discontinued development efforts for a Department of the Treasury-wide enterprise HSPD-12 solution.
On May 18, 2007, a letter was issued to the GSA stating the IRS’ intention to use GSA services to the extent possible.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS took the necessary actions to comply with HSPD-12 requirements. To accomplish this objective, we:

I.     Determined whether the IRS met the HSPD-12 requirements for Federal Information Processing Standards Publication 201 PIV I compliance by October 27, 2005.
       A. Compared the IRS’ procedures to Publication 201 standards for:
           1. Control objectives.
           2. Personnel identity proofing and registration.
           3. Card issuance and maintenance.
           4. Privacy.
           5. Background investigations.
       B. Determined whether the procedures were approved in writing.
       C. Determined whether the implementation plan was timely submitted and approved by the Office of Management and Budget.
II.    Determined whether the IRS had procedures in place to be PIV II compliant by October 27, 2006.
       A. Reviewed the IRS business case for PIV II compliance.
       B. Reviewed the IRS budget for HSPD-12.
       C. Reviewed the IRS infrastructure and procedures for the issuance of PIV cards.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Thomas Polsfoot, Audit Manager
David Brown, Senior Auditor
George Franklin, Senior Auditor
Jimmie Johnson, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Information Officer OS:CIO
       Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Management’s Response to the Draft Report